WATS Version 1.0 by Professor Falken & The Aptolcater

(v1.0)(c)1992
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)


VERSION 1.0

800 / 900 Company Ownership Reverse Database

by

Professor Falken & The Aptolcater

(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
(K-k00L graFiX!)

INTRODUCTION
————

Welcome to WATS!!! WATS is basically an 800 or 900 company exchange
ownership definer. It is VERY similar to the ‘800’ reverse directory
option off of my old program ‘Phreak Tools.’ However, this version is
command line driven, much like my last program ‘CNA Finder v2.0’. This
program has been written under Microsoft C/C++ 7.0 and uses full optimization
for speed of use. WATS is very well behaved, so don’t fear its use under a
multitasking / DOS shell environment.

800 BACKGROUND
————–

The Bell System offered some of the first ‘collect’ calls to numbers
under the ‘ZENITH’ program. To place a collect call to a party which has
been designated a ‘ZENITH’ (Today it would be a normal 800 WATS-line)
telephone number, the caller would dial the operator and give her a
ZENITH number. Usually the ZENITH numbers were four digits long,
the ones I can remember always ended with x000’s. For instance, Northern
States Power’s old Power-Line Emergency number was ZENITH 7000. While
ZENITH guaranteed a called party’s acceptance of a charge call, it
still required an operator to manually route the call, putting an extra
burden on the telephone system (yeah right, it MADE jobs!).

But lo and behold, a better way of dialing collect was devised,
the 800 WATS areacode. 800 WATS service was made available to the general
public in 1967. At the time, exchanges of WATS numbers were associated with
exact geographic areas. For instance the (800)421-xxxx exchange was routed
to the 213 (now 310) areacode which is Los Angeles, California. However,
routing calls this way proved to be bamb00zled, because for each
areacode, they needed an 800 exchange.

But after 15 years of scratching Ma Bell’s head they decided to change
the way 800 service was set up. In 1982, a computer database was set up to
match the number called to its corresponding set of routing instructions,
allowing overflow traffic on one company’s WATS line to be routed to
another office location of the same company. At the time, this was an
engineering marvel, and Bellcore patted their heads and scratched their
tummies for many days, but possibly not in that order.

In 1984 after the breakup of the Bell System, Bell’s research and
development labs ‘BELLCORE’ assumed the allocation of 800 exchanges.
Then in 1986, Bellcore FROZE all but 35 of AT&T’s 800 exchanges.
The frozen exchanges could not be assigned unless AT&T demonstrated that
70% of all its exchanges were being used. Since 1986, Bellcore has
unfrozen quite a few exchanges to supply the demand of the booming WATS
market. In the ‘WATS’ program, 65 of AT&T’s 800 exchanges are shown as
‘assignable’ and 116 exchanges are shown as ‘frozen’. Those two numbers
correspond to the original 181 geographic exchanges that were in effect
in 1982.

In 1987, Microwave Communications Inc. (MCI) became the first WATS
carrier to directly compete with AT&T in that market. Since then
many companies from US Sprint to Joe Shmo’ and his sister Ho, have started
their own WATS service. Currently, companies wanting to offer 800 service
are assigned an exchange by Bellcore. For instance, if you were to dial
(800)286-xxxx it would be routed to the equipment owned by Southern New
England Telephone.

Mathematically, there are 1000 different exchanges which can be
issued, and there are 10,000 different numbers per exchange. This creates
a grand total of 10 million possible WATS telephone customers. However,
only 80% of those 10 million are ‘usable’ combinations. Those exchanges
that have been deemed unsuitable by Bellcore are any exchanges that start
with 0 or 1, and 211,311,611, and 911 etc. As of this writing only 180
suitable and assignable exchanges remain at Bellcore’s disposal.

Exchanges assigned by Bellcore do not necessarily have to be in use.
Sometimes companies are assigned WATS exchanges, yet they have not even
begun operations. In other cases, firms may have merged or terminated
operations and their numbers have not been reassigned at publication time.
Some unused exchanges DO NOT appear in the program as even being assigned.
One small detail is that it is possible for a corporation to be assigned an
exchange and use it exclusively for its own use, rather than selling long
distance time on it.

900 BACKGROUND
————–

The 900 areacode was the first Pay-per-Call / Pay-per-Minute
type of service available to the public. In 1987, the first 900 exchanges
were opened and assigned to companies wanting to compete with AT&T. Telesphere
became the first company to offer competing service with AT&T. The assignment
of 900 exchanges is similar to the assignment of 800 exchanges. Because 900
service is still in its infant years (on a Bell scale) not very many exchanges
have been assigned, and those that have been assigned, have not yet begun
service.

INSTRUCTIONS
————

Using WATS is simpler than hacking a Unix, even your crippled
grandmother can use it! For instance, I just got a PBX from some k0de d00d
and I want to know the possibilities of getting busted when I call all my
k-rAdIkal phriends to let them know I just got a k0de. So I check out the
PBX number (800)255-8415 (Actually the National Security Agency). Since
it’s an 800 number, the first argument on the command line is an ‘8’. The
exchange is 255 and it is the last argument on the command line. You would
type:

——-
[C:\] wats 8 255

WATS v1.0 – 800/900 Exchange Database
Written by Professor Falken & The Aptolcater
Copyright (c) 1992 – Released 8/19/92

Calls placed to (800)255-xxxx are routed through AT&T-C’s Assignable equipment.

[C:\]
——-

This means that the 255 exchange is owned by the AT&T Company, and it’s
assignable. Doesn’t need much decipherment does it?

To find out who owns a 900 fuckshop exchange, it’s basically the same as the
800 search. I take my number (900)468-3825 (900-HOT-FUCK) and:

——-
[C:\] wats 9 468

WATS v1.0 – 800/900 Exchange Database
Written by Professor Falken & The Aptolcater
Copyright (c) 1992 – Released 8/19/92

Calls placed to (900)468-xxxx are routed through US Sprint equipment.

[C:\]
——-

Why you would want this type of 900 information, I do not know. Unless you
were going to social engineer yourself a free phone orgasm. Anyhow, this
information is included anyway…

If you ever forget how to run the program just type:
——
[C:\] wats

——

at the prompt and you will get a quick-usage screen, which hopefully
will be helpful. If not, you must have the IQ of a retarded lineman. Please
go back and review your 3rd grade homework again.
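
The exclusion rules from 800 BACKGROUND and the command-line lookup shown above, worked through in Python as an added example (this is not the WATS program's code, which this document does not reproduce). The owner table holds only the three exchanges quoted in this text, and reading the "etc." after 211, 311, 611 and 911 as "every N11 code" is an assumption.

```python
import re

# Constructed table: only the exchange owners quoted in this document.
# The real WATS database is not reproduced here.
OWNERS = {
    ("800", "255"): "AT&T-C's Assignable",
    ("800", "286"): "Southern New England Telephone",
    ("900", "468"): "US Sprint",
}

# Assumption: the document's "211,311,611, and 911 etc." means every N11 code.
N11 = {d + "11" for d in "23456789"}


def is_suitable(exchange):
    """Apply the stated rule: no leading 0 or 1, and no N11 service code."""
    if not re.fullmatch(r"\d{3}", exchange):
        raise ValueError("exchange must be three digits: %r" % exchange)
    return exchange[0] not in "01" and exchange not in N11


def suitable_exchanges():
    """All exchanges 000-999 that survive the exclusion rules."""
    return ["%03d" % n for n in range(1000) if is_suitable("%03d" % n)]


def usable_numbers():
    """10,000 line numbers per suitable exchange."""
    return len(suitable_exchanges()) * 10000


def split_number(number):
    """Return (area code, exchange) from forms like '(800)255-8415'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]          # drop a leading long-distance 1
    if len(digits) != 10 or digits[:3] not in ("800", "900"):
        raise ValueError("not a ten-digit 800/900 number: %r" % number)
    return digits[:3], digits[3:6]


def lookup(service, exchange):
    """Mirror the 'wats 8 255' command line: service is '8' or '9'."""
    area = {"8": "800", "9": "900"}.get(service)
    if area is None:
        raise ValueError("service must be '8' or '9'")
    if not is_suitable(exchange):
        return "(%s)%s-xxxx is not a suitable exchange." % (area, exchange)
    owner = OWNERS.get((area, exchange))
    if owner is None:
        return "(%s)%s-xxxx is not in this sample table." % (area, exchange)
    return "Calls placed to (%s)%s-xxxx are routed through %s equipment." % (
        area, exchange, owner)


if __name__ == "__main__":
    area, exch = split_number("(800)255-8415")
    print(lookup(area[0], exch))
    print(len(suitable_exchanges()), "suitable exchanges,",
          usable_numbers(), "usable numbers")
```

Under that reading the rules leave 792 of the 1000 exchanges, which is where the roughly 80% figure in 800 BACKGROUND comes from.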

CONCLUSION & GREETS
——————-

This is the end of the docs for WATS. If there are any bugs or any
questions, I can be reached on the following boards:

806-793-4616 Celestial Woodlands
602-894-1757 UPT Private

Or if you prefer, I can be reached at the following:

Internet: pfalken@mindvox.phantom.com

Of course this documentation would not be complete without the legals…

—————————————————————————-
All company names listed within the WATS program and this document are
registered trademarks. The manner in which they are given here is the way
they are shown in FCC / Bellcore records. This may vary to one extent or
another from their full, official, or corporate names.

The information herein was believed to be complete and correct at
publication time, but is subject to change. The writers assume no
responsibility for the uses to which this information may be put.

Any relation to persons living or dead is purely coincidental.
—————————————————————————-

Greetings go out to: All X-LOD/H members, X-Phortune 500 members, DPAK,
Neon Knights, Bellcore, Cult of the Dead Cow -cDc- (what happened to Black
Sept again?), Phrack Magazine, 2600 Magazine, Mondo 2000 (RU Sirius/Queen B
your mag is turning lame), Lex, The Ronz!(haha), Red Rebel, The Rebel (718),
Agent Steal, Taran King, Knight Lightning, Doctor Dissector & KC,
Prometheus-BRUTE!, Anarchy, Wintermute, Dr. Cyclops, PJ, Digitone Cypher,
Luis Cipher, INVALiD MEDiA, The VIZ, Twisted Sector, The Ranger, and
Psychedelic C00kie.

Many thanks to The Aptolcater! Later all…

Professor Falken
X-Legion of Doom Hackers!
X-Phortune 500





The top 25 *unbelievable* things in War Games, by TheCure (October 16, 1991)

From thecure@ee.mu.OZ.AU Wed Oct 16 21:41:09 1991
From: thecure@ee.mu.OZ.AU (TheCure)
Newsgroups: rec.humor,aus.jokes,ee.general,decr.chat
Subject: *WAR GAMES* – Top 25
Date: 10 Oct 91 05:17:13 GMT
Organization: Royal Australia electronic Wrestling Association – Network ( RAeWA )

————————————————————————-
-=[ The top 25 *unbelievable* things in War Games ]=-
————————————————————————-

[1] 15 digits to dial a local number? He dials 15 digits to connect
to his school computer. Sounds like the recording studio went a bit
overboard with the sound effects…

[2] The modem carrier tones. Really… Beeeeeep Beeeeeeeep Slllllh is
normal. Not “diddly-de-duh” “diddly-de-duh” Again, the public wants
cool noises, not the real thing…

[3] The time taken to establish carrier. Really, hear the tone – and
pmf! You’re on? Handshaking? Anything? Naaah..

[4] This is a beauty. He connects using a 300bps modem, and then gets
the information on his screen at real time! Where can I get one
of these?

[5] A tiny technicality. I think the movie was made in 1982. (yes/no?)
Anyway – he frequently uses full screen editing. Something that
didn’t really appear until vi hit the screen. (remember the curse
of edlin?)

[6] He *always* takes the correct disk from the shelf. Always. He has
tonnes of 8 inches around the place, but always takes just one
from the shelf, and it’s always the right one. Really..

[7] During his demon-dialling, he has the most fantastic modem detector.
Not only does it detect carriers, it detects busy signals, *and*
voice, all within half a second! Wow. (Want this as well!)

[8] The *classic*. He attack dials with an acoustic coupler. How the
hell is this possible? Really. And why did he bother to dial
the first number in his demon list?

[9] A tiny glitch. At one stage he’s playing galaga (for the second
time) – and he’s “doing well” with 3 lives left. He dies, and
pmmf! All his lives are gone, and he says he’s owed a quarter
for the game.

[10] Whilst he’s attack dialling, he picks up the acoustic coupler,
shows it off (to show what it’s doing) – but the modem just
keeps on going. What a clever little modem.

[11] A dream this one. He calls a computer, is given a LOGON prompt
(nb , not login:) – and manages to get information from WOPR
without being logged on as any one. Wouldn’t that be nice?

[12] During his elite hacking, he asks for the printer to be turned
on so he can get a hard copy. But! There is no noise! None!
A silent dot-matrix printer! (or perhaps daisy-wheel! gasP!)

[13] I wish I had a terminal like him. He connects at 300bps, and
manages to get fantastic graphics up on the screen , on
a tty terminal!

[14] While he’s playing with WOPR (the 1st time) he decides to
turn off his computer. By flicking one switch, he manages
to also turn off every screen at the Defence Center! Gosh,
does that mean when I turn off my computer without logging
off, the other computer dies as well????

[15] How is it that WOPR is able to trace where he lives, when even
the telephone companies are unable to do it? Sheeeze, really..

[16] He disconnects his computer from WOPR (only a terminal remember)
closes the phone line, yet the clock still counts down the time
on his terminal (with a great deal of background ooooooohhs).

[17] How is it that the most top secret military installation allows
visitors to walk around on guided tours of it? really….

[18] Another amazing feat, the “voice-synthesiser” he has in his
bed room suddenly appears in the defence headquarters. And
anywhere else he happens to be. Wow! That’s a loud voice synth.

[19] They apparently scramble f16’s , but it’s actually two f15’s that
take off into the air..

[20] As they’re running around on the island away from Falken’s place,
before the helicopter arrives, the island is *bathed* in light.
Where from ? Amazing…

[21] Look out DES. As WOPR is sprinting the launch password, it finds
one character at a time! How long did it take to find the last
character? Aaaaaaages. How long does it take to go through the
alphabet?

[22] As he’s playing tic-tac-toe, the game gets faster, and faster,
etc, and actually *drains* power to help WOPR think. I know
for a fact that my lights dim when it comes to number
crunching ….. :)

[23] That woman taking damn notes from WOPR. Why? What is her job
title? The “official-watch-the-flashy-lights-on-wopr” job?

[24] After all the lights and everything gets really flashy, the
place is still in darkness. After the lights have blown, WOPR
manages to turn all the lights back on!

[25] The little clock on the side of WOPR only turns on when someone
is looking at it? Wow! How about that for reliable!

——————————————————————————-
__ __ __ __ __
/ /_/ /_ / / / /_/ /_ On candystripe legs the spiderman comes
/ / / /_ /_ /_/ / \ /_ Softly through the shadow of the evening sun
——————————————————————————-
thecure@ee.mu.oz.au thecure@ecr.mu.oz.au thecure@phoenix.pub.oz.au
——————————————————————————-


Hacking the Wang OS, by Dark Knight

Unauthorised Access UK 0636-708063 10pm-7am 12oo/24oo

%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+
%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+
%+% GAINING ENTRY +%+
%+% – +%+
%+% HACKING THE WANG O/S +%+
%+% – +%+
%+% BY +%+
%+% THE DARK KNIGHT +%+
%+% – +%+
%+% 14/4/90 +%+
%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+
%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+

DISCLAIMER:

The author takes no responsibility for, nor does he assume any liability for,
damages resulting from the use of information in this document. This
document is for informational purposes only.

INTRODUCTION:

In the world as we know it WANG mainframes are in general use with many of
the largest companies trading today.

WANG has long boasted that their mainframes are one of the most secure
systems available and in a bid to make this fact more valid they decided to
create what they thought was the most advanced and secure operating system
available for their machines.

WANG set out to make the operating system uncrackable by the hacker as we
know it. They decided that if the hacker could not get past the user id
and password he would be foiled, so the clever systems programmers decided
that they would create the most elaborate encrypting routines possible for
the user ids and passwords, and this is exactly what they did!

CRACKING THE PASSWORD:

Say for example you wished to modify a wardialer program to find the
password for you… Taking the password to be six characters long, mixed
upper and lower case and no numeric characters. The wardialer makes a call
every 18 seconds on average and taking 10 seconds for three tries at the
password, running 24 hours a day, 7 days a week, 365 days a year, the
wardialer would take a maximum of 112 years to find a correct password!
This is assuming you have a valid user id to begin with! This is not
really what the hacker wants to hear, is it?!

Unfortunately there are also no guest or visitor id’s available on the
system so you can’t drop into the operating system and take a look around!

GETTING IN:

It looks like WANG did a good job then doesn’t it! Well not quite! A few
bugs have managed to creep through, aiding the hacker. For example some
nice systems programmer left a back door in the operating system!!

With the relevant user id and password the hacker has access to the system,
but at this level you can’t really do much, certainly not play with the
hardware or jump to other systems, or can you? You can only run a few
applications, not much to write home about you may think, things like
documents and the odd file display program! Rooting about in a directory
called SYS or SYSTEM you may come across a file called USERLIST or
something similar (The file names are always eight characters long) Every
system has a log of its users, id’s and passwords. Not much use you may
think as the id’s and passwords have been encrypted by the system. This
was the major cockup on the part of WANG. The only thing they did not
encrypt was the user list!!!

Logging on under the user id of CSG (Computer Services Group) and using the
password SESAME takes you into the system, via the back door! At this
level you can run a program called DISPLAY to print up the userlist, non
encrypted! Capturing the user id’s and passwords as they flood up the
screen you can enjoy them in the comfort of your own home! Every user on
the system will be in the list, including the system managers and
engineers!!

O/S USERS:

So now you know how to gain full access to the system you may want to know
who uses it!

There are hundreds of users worldwide and these include: FORD, VIKING
INTERNATIONAL (Travel Company), and the world’s largest DRUG MANUFACTURING
COMPANY (Have a guess!! – Not ICI -) There are many more, more details
available from me on request.

Many governments use the system, but have had the back door eradicated
during security checks, so don’t expect to gain access to those machines!

%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+
% This document was written by The Dark Knight.+
% Contact me on ANGEL BBS – 0772 795476 24hrs. +
% or on EQUALISER BBS – 0923 662127 24hrs. +
%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+%+

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+Sysops: Feel free to place this on your download section, but please ensure+
+that this document and credits remain intact and unchanged. Thank you. +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Downloaded From P-80 International Information Systems 304-744-2253

Hacking the Wal-Mart Armorguard Computer Protection System

HACKING THE WAL-MART ARMORGUARD
COMPUTER PROTECTION SYSTEM.

***NOTE***
To use this, you must have a system disk (i.e. a disk that has been
formatted using [format a: /s]) in 3.5″ format under Windows 95, because that
is what they sell all of their computers with.

***NOTE***
In this file, instructions to be input into the computer are surrounded
by [ and ]. Keys are surrounded by < and >. So if I say “hit [] I
mean to hold down the control button and hit F1.

The armorguard is a program that prevents you from writing to the
directories, changing the attributes of files, and deleting files. It
basically prevents you from doing anything cool.

The first thing to do is to go into Wal-Mart. Now, go to the
computer section and turn off the screen saver. Shut down as many apps as
you can with the [] and then choosing a program and
hitting enter. You cannot simply do this to the ArmorGuard program.

The next thing to do is to go to the DOS PROMPT. Most Wal-Marts
take the mouse ball out of all of the display mice to make it harder to
control the system. If you are adept at putting your finger inside the mouse
and controlling it that way, fine. Otherwise, just hit [].
This activates the start menu. Select “Programs”, hit enter, then go down to
near the bottom of the “Programs” menu and select “MS-DOS PROMPT”. Hit enter.

Now you are in a DOS window and in the C:\Windows directory. Hit
[cd..] and then hit [fdisk /mbr], which restores the master boot record,
preventing the password prompt from coming up when you reset the computer.

Now just hit [] twice (once gets you to task manager,
twice reboots) and wait. When you see

Starting Windows 95…

on the screen, hit [] really fast just once, then choose “Verify
each step” (or something to that effect), usually choice number 4. It will
give you an A: prompt and say “Please give the path of your command interpreter,
i.e. C:\WINDOWS\COMMAND.COM”. At this point, put the system disk you have
made in the drive and hit [A:\COMMAND.COM]. Say “Yes” to everything except
the following:

Log this bootup? (Bootlog.txt)? (y/n)
C:\armguard.exe? (y/n)
(***OR ANYTHING ELSE STARTING WITH “C:\ARM”, LIKE “C:\ARMOR”,
for instance.)

If you have done this right, ARMGUARD SHOULDN’T COME UP AT ALL. If
it does, hit “command prompt only” instead of “Verify each step” and then
specify C:\AUTOEXEC.BAT and C:\CONFIG.SYS if it asks for the configuration
and the startup file. (IN THE OPPOSITE ORDER. CONFIG.SYS IS THE CONFIG FILE,
AUTOEXEC.BAT IS THE STARTUP FILE.) Then immediately hit [] and it will
give you step-by-step confirmation for each item. See above for the ones
to say no to. Then you want to hit

[C:\WINDOWS\COMMAND\EDIT.COM C:\WINDOWS\WIN.INI]

and the DOS edit program will come up. Choose “Search” and hit “Find” and
then tell it to find ARM and make sure it’s NOT on match whole word only.
Delete any line with ARM in it that looks like a part of ArmorGuard. This
should prevent it from coming up on Windows.

*******IF NONE OF THIS WORKS, YOU HAVE TO TAKE THE READ-ONLY AND ARCHIVE
ATTRIBUTES OFF OF THE WIN.INI, SYSTEM.INI, AUTOEXEC.BAT, AND CONFIG.SYS FILES
BY HITTING [ATTRIB -A -R (c:\WHATEVERFILE.YOUWANTTODOTHISTO)]

*******I’D ALSO RECOMMEND EDITING THE AUTOEXEC.BAT FILE TO PREVENT ARMGUARD
FROM EVER COMING UP AGAIN.

****************THINGS TO DO AFTER HACKING ARMORGUARD***********

Hmmm….
USE YOUR IMAGINATION!

Think of this: Hit “shut down in MS-DOS mode” or start up in MS-DOS mode,
put your boot disk in drive a: and hit the following commands

[A:]
[FORMAT C:]

and then confirm this. You have just started the permanent erasing of
EVERYTHING on the hard drive. You can also do some other cool stuff with
it too, just basically IF YOU WOULD DO IT TO SOMEONE YOU HATE, DO IT TO
WAL-MART. Personally, I’d think that INSTEAD OF ERASING THE HARD DRIVE, I’D
WRITE A VIRUS AND PUT IT ON THE COMPUTER. THAT WOULD REALLY BE MORE FUN.
JUST STORE IT ON A FLOPPY AND COPY IT.

HAVE FUN, DON’T GET CAUGHT.
SINCERELY,
KwAnTAM_PoZeEtrON

The VT Hacker #3, by The Mad Hermit

Well, it’s time for yet another installment in Virginia Tech
hacking. Yes, it’s…. VTHACK #3!!!! Brought to you by the
Mad Hermit and crew. This time, we’re going to focus on the OTHER
big network on campus: LocalNet. LocalNet (L-Net) has been around
for a much longer period of time, and as such has quite a few more
caves and back alleys to explore. Its main purpose is to connect
the faculty and grad students directly to mainframes, and thus
much of what is found when poking around are login prompts. An
aggravating factor that has been added to this is the inclusion of
“Port Servers” (PS’s). You know when you’ve hit a PS when L-Net
tells you you’ve connected, but no key that you press has any
effect. The purpose of a PS is to act as a deterrent to hackers.
It also might have the additional function of baud rate detection,
but though it sounds logical, we haven’t found out for sure. We
must admit that it does protect. The best way to keep system
crashers away is not to tell them what they’ve found through simple
redialing. This is a lot like keeping party crashers away by
saying that there’s a party going on at a certain place, but not
telling them who’s invited or who’s giving the bash. Effective for
the dim-witted, impatient, and amateur party crashers, but not for
others.
PS’s sit and stare out at you until you start sending it
characters. If the first few aren’t the specific ones it’s looking
for, it will continue to gobble up everything else until you give
up and hang up. Typical PS “codes” are easy-to-remember sequences
like ‘ZZ’ or ‘ASDF’, and they then pass you on to the main login
prompt. These “codes” aren’t like passwords, since the added
access they give you isn’t worth beans unless you’ve got a line on
where to go from the login prompt. However, we here feel that
information like that is in fact “restricted” in that you are
gaining unauthorized additional access to systems. As such, we’ve
decided to leave the fun of figuring them out to those interested
in such weekend diversions.
Before we give you what you’re probably waiting for: neato
numbers to call on L-Net, we’d like to explain stuff. First, this
isn’t a complete list, nor could it really be. L-Net addresses are
in Hexadecimal and range from 0000 to FFFF. That’s 65536 different
possibilities. We only went through ten thousand of these, and are
only listing those that got any response. Second, L-Net addresses
may connect to any number of ports, but we haven’t seen any more
than 4 or 5. Thus, the total possible connections assuming an
average of 2 ports per connection and an average of about 15
connections per thousand addresses comes to just under 2000.
Assuming this is correct (very doubtful), finding where these are
is quite a task. Third, and on the positive side, some connections
open up large worlds of access. These unpassworded gateways are
known as servers, and typically are DECservers. The biggest and
most notorious is listed at 0358 and can handle a max of 128 users.
You can use these servers to connect to multiple computers at once,
and have extensive help files telling you what to do. Fourth, and
also on the plus side, L-Net doesn’t kick you off. Ever. Multiple
redialing is the name of the game, and listed below is a Red Ryder
script that works under version 9.4 that dials consecutive integers
at a rate of about 40 a minute. Fifth and finally, bum connections
don’t just leave you in the cold. Hitting CONTROL-A twice pops you
immediately into local mode, where a STATUS tells you where you are
connected, and a “DONE X” will disconnect you from session number
X. Calling, by the way, is done by typing “CALL XXXX[,P]” where
XXXX is the hex address, and P is the optional port number, which
is separated by a comma.

Red Ryder 9.4 Local-Net Scanner Script.

COPYINTO ~8,ENTER NUMBER TO START AT
(GET1)
QUERY1 ~1
EMPTY ~1
IF YES JUMPTO (GET1)
LET EQUAL `1,~1
LET EQUAL `3,`1
COPYINTO ~8,ENTER LENGTH OF SEARCH
(GET2)
QUERY1 ~2
EMPTY ~2
IF YES JUMPTO (GET2)
LET EQUAL `2,~2
ADD `3,`2
COPYINTO ~3,`3
SUBTRACT `1,1
(NEXT)
ADD `1,1
TEST `1=~3
IF YES JUMPTO (QUIT)
TYPE Call
TYPE `1
TYPE ^M
ALERT1 UNIT/JUMPTO (NEXT)
ALERT2 BUSY/JUMPTO (NEXT)
PANICAFTER 10
PROMPT CONNECTED
PAUSE
BELL
BELL
BELL
BELL
JUMPTO (QUIT)
(QUIT)
END
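
Seen from the network operator's side, a script like the one above leaves a recognisable trace: one source issuing CALL commands to consecutive addresses at about 40 a minute. The detector below is an added example, not part of the original file; the log line format, the source names and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque

# Assumed log format (hypothetical): "HH:MM:SS <source-line> CALL XXXX[,P]".
# Only the CALL XXXX[,P] command syntax comes from the text above.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) (\S+) CALL ([0-9A-F]{1,4})(?:,(\d+))?$",
    re.IGNORECASE,
)


def parse(line):
    """Return (seconds, source, 4-digit hex address, port or None), or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    h, mi, s, src, addr, port = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s)
    return (t, src, addr.upper().zfill(4), int(port) if port is not None else None)


def is_next(prev, cur):
    """True if cur follows prev by one, counted in hex or in decimal.

    A counter that increments in decimal and types the digits as-is steps
    0359 -> 0360, which is a jump of 7 in hex, so both readings are checked.
    """
    if int(cur, 16) - int(prev, 16) == 1:
        return True
    return prev.isdigit() and cur.isdigit() and int(cur) - int(prev) == 1


def detect_scans(lines, window=60, min_calls=20, min_seq_ratio=0.8):
    """Flag sources with >= min_calls CALLs inside `window` seconds where
    most successive addresses are consecutive. Returns {source: details}."""
    recent = defaultdict(deque)          # source -> deque of (time, address)
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                     # not a CALL line
        t, src, addr, _port = rec
        q = recent[src]
        q.append((t, addr))
        while t - q[0][0] >= window:     # drop calls older than the window
            q.popleft()
        if src in alerts or len(q) < min_calls:
            continue
        addrs = [a for _, a in q]
        steps = sum(is_next(a, b) for a, b in zip(addrs, addrs[1:]))
        if steps / (len(addrs) - 1) >= min_seq_ratio:
            alerts[src] = {"first": addrs[0], "last": addrs[-1],
                           "calls": len(addrs), "at": t}
    return alerts


def sample_log():
    """Constructed sample: a scanner on line07, an ordinary user on line02."""
    def stamp(t):
        return "%02d:%02d:%02d" % (t // 3600, t % 3600 // 60, t % 60)

    start = 12 * 3600
    # 40 calls a minute is one call every 1.5 seconds.
    lines = ["%s line07 CALL %04d" % (stamp(start + (3 * i) // 2), 350 + i)
             for i in range(30)]
    lines += [
        "12:00:05 line02 CALL 0358",
        "12:00:07 line02 STATUS",
        "12:00:40 line02 CALL 0074,1",
        "12:05:00 line02 CALL 0358,1",
    ]
    return sorted(lines, key=lambda ln: ln[:8])


if __name__ == "__main__":
    for source, info in detect_scans(sample_log()).items():
        print(source, info)
```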

And here’s what our illustrious, untiring crew have discovered:

Node Port# What
—- —– —-
0008 1
0074 0,1 VTME (Mechanical Engineering)
0116 0,1
0124 0,1
0126 0,1
000A 1
000B 0,1
000C 0,1
000E 0,1
00FF 0,1
0170 0,1
0175 0,1 Popeye (Computer Science)
0350 0 VTCC1
0351 0,1 ” ”
0352 0,1 ” ”
0354 0,1 ” ”
0355 1 ” ”
0356 0,1 ” ”
0357 0,1 ” ”
0358 0,1 DECServer 500
0359 0,1 DECServer 500 (same as above, different port bank)
0400 0,1 VTME (again)
0401 0,1 ” ” ”
0402 0,1 ” ” ”
0403 0,1
0404 0,1 VTME (yet again)
0405 0 ” ” ” ”
0450 0,1 DECServers (see note 3)
0451 0,1 ” ” ”
0452 0,1 ” ” ”
0453 0,1 ” ” ”
0454 0,1 ” ” ”
0455 0,1 ” ” ”
0536 0,1
600-601 “Remote Ports Busy”
603-607 “Remote Ports Busy”
1010 0,1
1100-1103 “Remote Ports Busy”
1300 0 VTVM1
5100 1 VTVM1
5300 0,1
5500-5503 “Remote Ports Busy”
5510 0,1
5512 0,1
5514 0,1
5516 0,1
5518 1
5530 0,1
5534 0,1
5536 0,1
5548 0,1
5548 0,1
5550 0,1
5552 0,1
5554 0
6000 1
6002 0 Node[20] (see note 1)
6003 0,1
6100-6103 “Remote Ports Busy”
6200 1 Node[2] (see note 2)
6230-6231 “Remote Ports Busy”
6300 0,1
6301 0,1
6302 0,1 Node[2] (see note 2)
6303 0
6410 1
6414 0
6419 1
6420 1
6428 0,1
6429 1
6433 0
6437 1
643A 1
643B 0
6502 0 VTVMS
6503 0 ” ”
6504 0 ” ”
6505 0 ” ”
6506 0 ” ”
6507 0 ” ”
6508 0 ” ”
6509 0 ” ”
8001 1
8002 0
8003 0
8004 0,1
8005 0
8006 1
8007 1
8008 0
8009 0
8080 0,1
9000-9016 “Remote Ports Busy”
9018-9019 “Remote Ports Busy”
9302 0
9300 0,1,2,3,4

Notes:
——
1) Node[20], popularly known as the Node Router, went out of
service shortly after VTHacker #2 was distributed. Apologies
are NOT extended to those who assumed that the list in VTHack2
was gospel. Things change all the time, and those things that
are especially good tend to go away. Apparently, number 40062
was used by CNS’s chief diagnostician as a way to test the VA
Council of Higher Education’s access to the Net and L-Net.
Poking around there was terminated, but our scan of L-Net turned
up another way in…

2) If you wondered why the Node Router was labelled “20” (really,
what happened to the other 19?), then this might clear things up.
The following connections were observed:
Node What
—- —-
0 Passworded
1 L-Net
3 the Net
5 Passworded
6 Passworded
9 Dead End
10 Dead End
12 L-Net
20 Restricted (*)

*) This did connect you to a really screwed up L-Net port, which
continually spewed out garbage and error messages, but we think
our poking around in it got it shut off, due to the incredible
quickness with which it was restricted (we were still on-line!)

3) Ah, what a joy it is to explore, and find a pristine cavern
laden with sweet delight, and a menu to boot! Well, what I’m
talking about is BAMBI and THUMPR, two side-by-side DECServers.
Calling the listed numbers with port 0 gets you BAMBI, and using
port 1 gets you THUMPR. In our experience, nobody has ever been
dumped for staying on too long, and though the computers you can
connect to aren’t all that interesting (all Mechanical Engineering)
the services and privileges allowed to ordinary users are about
as generous as possible. The listings that follow are verbatim
text sent by the servers, and we think that you’ll be able to
figure out what’s going on.

DECserver 200 Terminal Server V2.0 (BL29) – LAT V5.1
AMDF Network – Server BAMBI

Please type HELP if you need assistance
Enter username> Jack Meoff

Local> show nodes all

Node Name Status Identification

BAMBI Reachable AMDF Network – Server BAMBI
BERT Reachable AMDF VAXstation I (VMS 4.2)
ERNIE Reachable AMDF VAXstation I (VMS 4.2)
POOH Reachable AMDF MicroVAX II (VMS 4.6)
SPOCK Reachable ZONIC Lab VAXstation 2000 (VMS 4.6)
SULU Unreachable AMDF Cluster VAXstation 2000 (Color)
THUMPR Reachable AMDF Network – Server THUMPR
UHURA Unreachable AMDF Cluster VAXstation 2000 (B & W)
VTME Reachable ME VAX 11/780 (VMS 4.4)
VTMEX Reachable AMDF Cluster VAXserver 3600 (VMS 4.7)

Local> show ports all

Port Access Status Services Offered

1 Dynamic Idle
2 Dynamic Idle
3 Dynamic Local mode
4 Dynamic Idle
5 Dynamic Idle
6 Dynamic Idle
7 Dynamic Idle VTLAN
8 Dynamic Idle VTLAN

Local> help

HELP

The online HELP facility allows you to access reference and tutorial information about the DECserver 200. Choose one of the following options:

o Enter TUTORIAL to see a succession of HELP frames with “getting
started” information on basic DECserver functions (for beginners)

o Enter HELP for full information on how to use the HELP facility

o Choose a HELP topic from the following list:

BACKWARDS FORWARDS RESUME
BROADCAST HELP SET
CONNECT LIST SHOW
DEFINE LOCK TEST
DISCONNECT LOGOUT

Topic? list

LIST

Use the LIST command to display information from the permanent database.

LIST option

The option value is a topic about which you need information.

Additional HELP is available for the LIST options:

PORTS SERVER SERVICES

LIST Subtopic? server

SHOW/LIST SERVER

Use the SHOW SERVER command to display information about the current
operational state of the server. Use LIST SERVER to show values for the
permanent server characteristics.

Command formats:

SHOW SERVER [CHARACTERISTICS]
[COUNTERS ]
[STATUS ]
[SUMMARY ]

LIST SERVER [CHARACTERISTICS]
[SUMMARY ]

The default option for SHOW/LIST SERVER is CHARACTERISTICS.

Additional help available for:

CHARACTERISTICS COUNTERS STATUS SUMMARY

SHOW/LIST SERVER Subtopic?

LIST Subtopic?

Topic? show

SHOW

Use SHOW commands to display current status or information from the server’s
operational database.

SHOW option

The option value is the topic about which you need information.

Additional HELP is available for the SHOW options:

NODES PORTS QUEUE SERVER SERVICES SESSIONS USERS

SHOW Subtopic?

Topic?

Local> show server

DECserver 200 V2.0 BL29 LAT V5.1 ROM BL20 Uptime: 6 08:14:20

Address: 08-00-2B-0B-C4-EA Name: BAMBI Number: 0

Identification: AMDF Network – Server BAMBI

Circuit Timer: 80 Password Limit: 3
Console Port: 1 Queue Limit: 24
Inactivity Timer: 30 Retransmit Limit: 8
Keepalive Timer: 20 Session Limit: 64
Multicast Timer: 30 Software: PR0801ENG
Node Limit: 100

Service Groups: 0

Enabled Characteristics:

Announcements, Broadcast, Dump

Local> help

Topic? tutorial

TUTORIAL HELP

LOGGING INTO THE DECSERVER
To login to the DECserver you may be required by your server manager to enter a login password. If you are not required to do so, go on to the next screen. If you are, here are the steps to take to log in.

1 Press twice; a number sign (#) appears along with an audible “beep”.

2 Enter the login password. (You get the password from your server manager.)
For example, to log in with the password A1B2C3…

enter twice

# A1B2C3 type the password (which is not echoed)

3 If you make a mistake, the prompt reappears (and the “beep”) to let you try again. You have several chances to enter the correct password.

4 If you use a dial-in modem, you have 60 seconds to respond to the # prompt with the correct password. If you don’t, the server disconnects your modem.

If you do not need to enter a login password, press twice to log into
your DECserver.

When you log in, an introductory line of text appears…

DECserver 200 Terminal Server V1.0 (BL20) – LAT V5.1

If your port does not have a permanent username defined, enter your name (1 to
16 keyboard characters) after the following text appears…

Please type HELP if you need assistance

Enter username>

The Local> prompt appears after you type your username.

If your port does have a permanent username, here’s what you see…

Please type HELP if you need assistance

Local>


USING ONLINE HELP
Online help is documentation about DECserver commands that is
stored in server memory. You can see this documentation
interactively on your terminal while you are using the DECserver. The HELP command gives you access to online help. You
can use it in two ways:

You can type HELP at the Local> prompt…

Local> HELP

This generates a succession of HELP “frames”, “menus”, and prompts.
Frames are made up of the information that can fit on one or more
terminal screens. Menus are lists of topics you can choose from.

Alternatively, you can specify topics and subtopics when you
enter the HELP command. For example…

Local> HELP SET PORT

This command produces online documentation that describes the SET
PORT command.


SOME DEFINITIONS
The primary function of the DECserver is to allow you to connect to “services” offered on your network. A service can be a computer system that you can use just as though your terminal were attached directly to the system, or it can be a function offered by such a system. In addition, services can be set-up to
allow access to printers, dial-out modems, personal computers and terminal switches. To connect to a service, you only need to know the service name.

A “service node” is a computer system or server that offers services.

A “session” is a connection to a service. You can have one or more simultaneous sessions with one service, or more than one service. The connection you are using at any one time is called your “current session”. Your other sessions are inactive, but can be resumed by using server commands or session switches.

“Service mode” is your environment when you interact with a service. For example, if the service is a computer system, your environment is the same as a terminal directly wired to the system. You can all use the system’s commands and resources.

“Local mode” is your environment when you interact with the DECserver using commands entered at the Local> prompt.


CONNECTING TO A SERVICE
Use the local mode SHOW SERVICES command to display a list of services you can use.

Local> SHOW SERVICES

To connect to a service (establish a session with the service) enter the DECserver CONNECT command with the name of the service you want. For example, for a service called SALES, enter the following command:

Local> CONNECT SALES

This command places you in service mode in an active session with the service SALES.

RETURNING TO LOCAL MODE FROM A SERVICE SESSION
To return to local mode without ending your session, press or press your local switch character. Both these characters are, in effect, DECserver commands that instruct the server to go back to local mode.

The character must be set up to permit this (by default it is), and the local switch character must be defined (by default it is not).

Use the HELP command for more details on setting up the character and local switch character.

NOTE

Some modems interprets the character as a command to end
your dial-in connection. If you are using one of these modems,
do not use to return to local mode.

Your session, now inactive, is still your current session because
it is the session your were using most recently.

RESUMING YOUR SERVICE SESSION FROM LOCAL MODE
To resume your current session (and service mode) while your are in local mode, enter the DECserver RESUME command.

Local> RESUME

You go back to where you left off when before returning to local mode.

DISCONNECTING FROM A SERVICE
To end your current session while in service mode, use the command that terminates whatever process you are using. For example, you can terminate a session on a VAX/VMS system by typing the VMS LOGOUT command. Refer to the documentation for the service node that offers the service.

To end your current session while in local mode, enter the DECserver DISCONNECT command.

Local> DISCONNECT

You cannot resume a service session after you end the connection with DISCONNECT.

CONNECTING TO A SECOND SERVICE
The DECserver allows you to have several sessions at one time, to the same or to different services. To connect to a second (or subsequent) service, simply enter another CONNECT command from local mode, specifying the name of the service. For example, to connect to the service PRODUCTION, enter the following command:

Local> CONNECT PRODUCTION

To resume one of your non-current sessions, use the FORWARDS command to switch to your next session, or the BACKWARDS command to switch to your previous session. Alternatively, you can use the RESUME command and specify the session
number. You can find this number from the SHOW SESSIONS display:

Local> RESUME SESSION 2

To disconnect a particular session, use the DISCONNECT command and specify the session number. For example:

Local> DISCONNECT SESSION 1

LOGGING OUT OF THE DECSERVER
To logout from the DECserver, enter the DECserver LOGOUT command (in local mode).

Local> LOGOUT

LOGOUT disconnects all sessions. A DECserver message appears verifying the logout.

The next batch of stuff comes from DECServer 500:

Local> show users

Port Username Status Service

5 LC-1-5 Connected VTCC1
6 LC-1-6 Connected VTCC1
7 LC-1-7 Connected VTCC1
8 LC-1-8 Connected VTCC1
34 LC-3-2 Connected VTCC1
53 LC-4-5 Local Mode
67 LC-5-3 Connected VTCC1

Local> show devices all

Device Device Port Device CSR Vector Total
Slot Name Type List Status Address Address Errors

1 CONSOLE DL 0 Running 177560 60 1
2 NETWORK DEQNA Running 174440 120 37
3 LC-1 CXY08 1-8 Running 160440 310 2
4 LC-2 CXY08 17-24 Running 160460 320 0
5 LC-3 CXY08 33-40 Running 160500 330 1
6 LC-4 CXY08 49-56 Running 160520 340 0
7 LC-5 CXY08 65-72 Running 160540 350 0
8 LC-6 CXY08 81-88 Running 160560 360 0
9 LC-7 CXY08 97-104 Running 160600 370 5085
10 LC-8 CXY08 113-120Running 160620 400 15

Local> show server

DECserver 500 V1.0 LAT V5.1 ROM V1.0.2 Uptime: 12 7:18:36
Address: 08-00-2B-0A-10-63 Name: CCSRV2 Number: 22
Identification:
Circuit Timer: 80
Password Limit: 3
Inactivity Timer: 2
Queue Limit: 8
Keepalive Timer: 20
Retransmit Limit: 10
Multicast Timer: 60
Session Limit: 256
Node Limit: 100
Service Groups: 0

Backup Hosts: None
Enabled Characteristics:
Announcements

Local> show services all

Service Name Status Identification

DCSSVX Unavailable VT CC DCSS VS2000 Ultrix 2.2/UNIX
DSW Unavailable VT CNS dataswitch
GOLEM Unavailable VT Mathematics VAXstation I VMS – Node
LAN Unavailable VT CNS LocalNet
MTHOPR Unavailable VT Mathematics VAXstation I VMS – Node
MTHSUN Unavailable VT Mathematics Sun 3/50 – MTHSUN
MTHUNH Unavailable VT Mathematics VS2000 Ultrix 2.2 – Node
MTHUNX Unavailable VT Mathematics VS2000 Ultrix 2.2 – Node
NFNITY Unavailable VT Mathematics VS2000 VMS – Node NFNITY
POPEYE Unavailable Systems Research Center VAX-11/785 SVR2/
QUANTM Unavailable VT Mathematics VS2000 Ultrix 2.2 – Node
VTAGE1 Unavailable Ag. Engineering MicroVAX II / MicroVMS V
VTCC1 6 Connected TechCluster – Node VTCC1
VTCPE1 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX
VTCPE2 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX
VTCPE3 Unavailable VT EE Department VS2000 Ultrix 2.2/UNIX
VTCPE4 Unavailable VT EE Department VS3200 Ultrix 2.2/UNIX
VTCS1 Unavailable Va Tech CS Lab: VMS Service
VTDAL3 Unavailable VT EE Department VS2000 Ultrix 2.0/UNIX
VTDAL4 Unavailable VT EE DAL VS3200 Ultrix 2.2/Unix
VTDAL5 Unavailable VT EE DAL VS3200 Ultrix 2.2/UNIX
VTDAL6 Unavailable VT EE DAL VS3200 Ultrix 2.2/Unix
VTHCL Unavailable Va Tech Human/Computer Interface Lab
VTMAP Unavailable CE-Geography SDA Lab -Node VTMAP – Micro
VTMATH Available TechCluster – Node VTCC1
VTMILO Unavailable Human/Computer Lab – VAXStation II
VTODIE Unavailable VT CS Department MicroVax 2000 Ultrix 2.0
VTSDA Unavailable Spatial Data Analysis Lab – Vax 11/785
VTUNIX Available VT CC VAX 11/785 Ultrix 2.2/UNIX
VTYR Unavailable VT Mathematics VS2000 VMS – Node VTYR
XPRT549 Unavailable Fifth floor printer

Local> show ports all

Port Access Status Local Services

1 Local Idle
2 Local Idle
3 Local Idle
4 Local Idle
5 Local Connected
6 Local Connected
7 Local Connected
8 Local Connected
9 Local Offline
10 Local Offline
11 Local Offline
12 Local Offline
13 Local Offline
14 Local Offline
15 Local Offline
16 Local Offline
17 Local Idle
18 Local Idle
19 Local Idle
20 Local Idle
21 Local Local mode
22 Local Idle
23 Local Idle
24 Local Idle
25 Local Offline
26 Local Offline
27 Local Offline
28 Local Offline
29 Local Offline
30 Local Offline
31 Local Offline
32 Local Offline
33 Local Idle
34 Local Connected
35 Local Idle
36 Local Idle
37 Local Idle
38 Local Idle
39 Local Idle
40 Local Idle
41 Local Offline
42 Local Offline
43 Local Offline
44 Local Offline
45 Local Offline
46 Local Offline
47 Local Offline
48 Local Offline
49 Local Idle
50 Local Idle
51 Local Idle
52 Local Idle
53 Local Idle
54 Local Idle
55 Local Idle
56 Local Idle
57 Local Offline
58 Local Offline
59 Local Offline
60 Local Offline
61 Local Offline
62 Local Offline
63 Local Offline
64 Local Offline
65 Local Idle
66 Local Idle
67 Local Connected
68 Local Idle
69 Local Idle
70 Local Idle
71 Local Idle
72 Local Idle
73 Local Offline
74 Local Offline
75 Local Offline
76 Local Offline
77 Local Offline
78 Local Offline
79 Local Offline
80 Local Offline
81 Local Idle
82 Local Idle
83 Local Idle
84 Local Idle
85 Local Idle
86 Local Idle
87 Local Idle
88 Local Idle
89 Local Offline
90 Local Offline
91 Local Offline
92 Local Offline
93 Local Offline
94 Local Offline
95 Local Offline
96 Local Offline
97 Local Idle
98 Local Idle
99 Local Idle
100 Local Idle
101 Local Idle
102 Local Idle
103 Local Idle
104 Local Idle
105 Local Offline
106 Local Offline
107 Local Offline
108 Local Offline
109 Local Offline
110 Local Offline
111 Local Offline
112 Local Offline
113 Local Idle
114 Local Idle
115 Local Idle
116 Local Idle
117 Local Idle
118 Local Idle
119 Local Idle
120 Local Idle
121 Local Offline
122 Local Offline
123 Local Offline
124 Local Offline
125 Local Offline
126 Local Offline
127 Local Offline
128 Local Offline

Enough stuff, huh? Well, we’ve got MORE news. If you’re going to
poke around L-Net, the following numbers into L-Net have been known
to be dead (i.e. CONNECTED, but no response): 40499, 40507, 40482.

And here’s an update on VTHack #2’s list of Net numbers:
40600-40615 No Answer
40625-40656 Originate Only
40657 Not Accessible
40658 No Answer
40659-40686 Not a Dataline
40687 No Answer
40688-40690 Not Accessible
40691 1200 baud line
40692 No Answer
40693-40699 Not a Dataline

40700-40723 Connection Failed
40724 No Answer
40725-40799 VM/XA VT

40800-40817 VM/XA VT
40818-40833 Originate Only
40834-40837 Not Accessible
40838-40839 Originate Only
40840-40899 Not a Dataline

40900-40999 Not a Dataline

And what about the other 55 thousand L-Net addresses we didn’t try?
Hey, why don’t YOU try them, and then share the news…? We’re
already moving on to brighter futures in hacking, so stay tuned on
your local BBS or pass-the-disk network for: VTHacker #4 – Viruses,
reader response, Telenet, and more updates on previous info…

Downloaded From P-80 Systems 304-744-2253

The VT Hacker #2, by the Mad Hermit

VT Hacker #2

courtesy of
The Mad Hermit

Well, there’s some old news, so let’s get it out of the way. The Novice menu
stuff has changed slightly. Options 8-12 are no longer active. In addition,
poking around above there gives you a simple error message.

With that taken care of, we move on to:

——– COMMUNICATIONS NETWORK SERVICES ——–

There are ways to hack into this, but I’ll do an overview of general
info for those neophytes out there. CNS is running a ROLM phone system. Rolm
created a telephone system a few years back, and IBM used it for voice messages
& the like. It had bugs. It had security holes the size of Wisconsin. While
it lasted, phreakers had a free message and conferencing system that IBM could
do nothing about. IBM ended up buying out Rolm, and the company survived long
enough to put out a beta version of the current Tech system at the University
of New York.

Problems arose as the illustrious hackers there showed Rolm that gross
abuses of the system were possible. They showed Rolm the hard way.
The Pick-Up function which isn’t enabled on our system is capable of picking
up someone else’s phone, if you know their extension number. Devious people
were answering other people’s calls and transferring them to Topeka and other
parts unknown. If they were really cruel, they Parked them there. As far as I
know, just about all bugs left are harmless (well, mostly harmless). One thing
to note: whenever you call CNS, the phone you are calling from is displayed
immediately on a monitor in front of the operator.

The data line has a different story. Though a few bugs exist, they
aren’t exploitable. They merely irritate. Expect them to disappear soon, as
the technical people at CNS are very helpful and know what to do in most
circumstances. The “Call, Display, or Modify?” prompt is your ticket to fun
and weirdness. Normal functions include tweaking your dataline’s parameters
and speed, displaying commonly used services, and calling these services by
typing:
C VTLAN (or whatever name you want)

Recently, a hack was discovered at this prompt. All numbers that you
called from here went like this: #XXXX, where # is the start number, and XXXX
is the four-digit extension. Here is a list of current start numbers:

1 – On Campus (not hooked up yet. Will replace 961-XXXX)
2 – On Campus (normal dataphones)
3 – Long Distance
4 – Special
9 – Off Campus Local

The 4XXXX numbers are basically for CNS use, and for special mainframe
connections. If you call VTCOSY, for example, you get a message stating that
you are calling VTCOSY, and what modem number. These modem numbers can be
dialed directly, leading to some interesting discoveries. Scanning these
numbers without a program can be very time consuming, especially when you hit
several numbers that all connect to the same mainframe. In addition, every “No
Answer” takes one minute to do, because the Net waits that long before telling
you it hasn’t connected. Below, “Dead End” means that a connection was made,
but no keypresses have any effect.

40000-40049 Not A Dataline.
40050-40052 Not Accessible
40053-40055 Originate Only
40056-40057 Group Closed
40058-40059 No Answer
40060-40061 Originate Only
• 40062 Node Router (see below)
40063 Dead End
40064-40068 No Answer
40069-40071 Not A Dataline
40072 Not Accessible
40073-40089 Not A Dataline
• 40090-40093 VTLS
40094 No Answer
40095-40098 Connection Failed
40099 No Answer

40100 Not A Dataline
40101 No Answer
40102-40104 Dead End
40105-40113 No Answer
• 40114 CoSy Maintenance Port (00)
40115-40120 No Answer
40121-40132 Not A Dataline
40133-40134 No Answer
40135-40136 Even Parity lines (????)
40137-40141 No Answer
40142-40150 Not A Dataline
40151 No Answer
40152-40168 Not A Dataline
40169 Dead End
40170-40199 Not A Dataline

40200-40220 Originate Only
40221-40243 Not A Dataline
40244-40263 Originate Only
40264-40276 Not Accessible
• 40277 64000 BAUD !!!
40278-40281 Characteristics Mismatch
40282 Not A Dataline
• 40283 64000 BAUD !!!
40284 Originate Only
40285-40299 No Answer

• 40300-40306 VTVMS
40307 Not Functional
• 40308-40323 CoSy (02-17)
40324-40339 Busy
40340-40363 Not A Dataline
40364 No Answer
40365-40399 Not Accessible

40400-40403 Not Accessible
• 40404-40433 VTVM1
40434-40435 Not Functional
• 40436-40457 VTVM2
40458-40459 Not Functional
• 40460-40499 VTLAN

• 40500-40506 VTLAN
40507 Dead End
• 40508-40539 VTCC1
40540-40551 Originate Only
• 40552-40559 “Request:” (VTDSW)

40560 Connection Failed
• 40561-40567 “Request:” (VTDSW)
40568-40569 Not A Dataline

40570-40573 1200 BAUD lines
40574 Not A Dataline
40575 Busy
40576-40578 Dead End
40579 Busy

40580 No Answer
40581-40592 Originate Only
• 40593-40599 VM/XA VT

• 40600-40624 VM/XA VT
40625-40699 Not A Dataline

40700-40799 Not A Dataline

40800-40899 Not A Dataline

40900-40999 Not A Dataline

Note that these numbers can also be dialed on the voice line. Who knows WHAT
you’ll find…

You might notice that there are only 1,000 numbers of 10,000 represented.
If you find anything else above there, let me know. Finally, there are a
couple of ways to mess up your trail if you’re paranoid or just like feeling
secure. Call VTLAN, and then CALL 9000. This brings you back to the Net,
through a short loop. If you really want things messed up, call 9-232-2020.
This calls off-campus, then calls the link for getting back on the Net.
Enjoy!

The Node Router appears to be a CNS computer. The prompt is “Node[20] Enter
Destination:” and there are 64 numbers you can type in. Some have passwords,
some are dead ends, and others connect to other locations in the Net.

Here’s a list:

Passworded nodes: 0,32,50
Dead Ends: 3,4,22,28,33
Calls the Net back: 34
“Request:” prompt: 15
VTLAN: 1
Net/One: 27

The Net/One prompt is the most interesting thing found yet. It’s just about
the only friendly interface ever located in CNS’s part of the Net. You get to
look at various nodes in the Net, and make connections between lines.
Don’t get your hopes up, though. My sources have only found one open link,
but in order to figure out what it could do, they ended up closing it.

Here’s a list of the commands you get on the ‘help’ screen:

The Net/One commands are:
CONNECT Resource Name
GET Resource Name
LIST
RESUME Connection Number
ABANDON Connection Number
EXAMINE Resource Name
IDENTIFY Node ID
SET DISCONNECT /New Disconnect Sequence/
SET HOLD /New Hold Sequence/
SET ECHO ON or OFF
SET LINEFEEDS ON or OFF[ FOR ECHOES or INPUT or OUTPUT]
SET BINARY ON or OFF
SET FLOW NONE/CHARS/ENQ-ACK/SIGS/CTS-RTS/DSR-DTR/XON-XOFF[ NIU/DEVICE]
LOGOUT
QUIT

‘Get’ requests a particular line, ‘Connect’ opens it for use, and ‘Resume’
allows you to use it. The last command also seems to lock up the terminal…

When you ‘List’, you get something like this:

You are using port 4 of Net/One NIU-180 number 57106A, on network number 1.
Port 4’s name is “57106A4”. NIU 57106A’s name is “acc30”.

Connection 1 is unused.

Your Hold Sequence is: –none–
Your Disconnect Sequence is: OFF

The Net/One command editing keys are:
Cancel whole line: or ^ Delete last character: or ^h
Delete last word: or ^x Complete current word:
Repeat last line: or ^a

ECHO mode is turned OFF.
Automatic insertion of linefeeds after carriage returns is turned OFF.

Recently (as of 10/19/88), the number 40062 has gone out of service due to use
by certain individuals (heh heh heh). There is another way of getting to it,
which will be detailed in the forthcoming VT Hacker #3. The above data was
gathered using a script file for Red Ryder. Don’t try to comprehend what it
does. It works. The Net kicks you off after five unsuccessful attempts at
connection, making this simple incremental scanner procedure slow, and painful.
A scanner for LocalNet is in the works, and will definitely be faster due to
the unlimited tries LocalNet allows you. We’re looking for 20+ tries per
minute, but in the meantime, here’s the CNS-CBX scanner:

COPYINTO ~8,ENTER NUMBER TO START AT
(GET1)
QUERY1 ~1
EMPTY ~1
IF YES JUMPTO (GET1)
LET EQUAL `1,~1
LET EQUAL `3,`1
COPYINTO ~8,ENTER LENGTH OF SEARCH
(GET2)
QUERY1 ~2
EMPTY ~2
IF YES JUMPTO (GET2)
LET EQUAL `2,~2
ADD `3,`2
COPYINTO ~3,`3
SUBTRACT `1,1
(NEXT)
ADD `1,1
TEST `1=~3
IF YES JUMPTO (QUIT)
TYPE C
TYPE `1
TYPE ^M
ALERT1 THIS DATALINE/JUMPTO (NNUM)
ALERT2 NOT A DATALINE/JUMPTO (NNUM)
ALERT3 BUSY/JUMPTO (BUSY)
PANICAFTER 10
PROMPT CONNECTED
PAUSE
BELL
BELL
JUMPTO (QUIT)
(BUSY)
BELL
(NNUM)
ONPANIC JUMPTO (QUIT)
PANICAFTER 10
ALERT1 DISCONNECTED/JUMPTO (HOLD)
TYPE ^M
PROMPT MODIFY?
PAUSE
JUMPTO (NEXT)
(HOLD)
PAUSE
PAUSE
PAUSE
ONPANIC JUMPTO (QUIT)
PANICAFTER 10
TYPE ^M
PROMPT MODIFY?
PAUSE
JUMPTO (NEXT)
(QUIT)
END
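
A defender's view of the incremental scan described above, as an added example that is not part of the original file: the sketch flags a calling line that walks consecutive extensions with mostly failed results, keyed on the line rather than the session because the Net drops the caller after five failed attempts. The log format, line IDs and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Outcomes counted as failed attempts (names follow the statuses listed on this page).
FAILURES = {"NOT A DATALINE", "NO ANSWER", "BUSY",
            "NOT ACCESSIBLE", "CONNECTION FAILED"}


@dataclass
class Attempt:
    ts: int        # seconds since start of log
    source: str    # calling dataline (hypothetical ID format)
    dialed: int    # five-digit number requested at the Call prompt
    outcome: str


def build_sample_log():
    """Constructed records in an assumed format: '<ts> <source> <dialed> <outcome>'."""
    lines = []
    connected = {40102, 40103, 40104, 40114}
    # One line walking 40100..40115, one try per minute (the Net's no-answer wait).
    for i, number in enumerate(range(40100, 40116)):
        if number == 40100:
            outcome = "NOT A DATALINE"
        elif number in connected:
            outcome = "CONNECTED"
        else:
            outcome = "NO ANSWER"
        lines.append(f"{i * 60} 2-1234 {number} {outcome}")
    # An ordinary user calling a few known services.
    lines += ["30 2-5678 40460 CONNECTED",
              "400 2-5678 40300 CONNECTED",
              "900 2-5678 40508 CONNECTED"]
    # A user retrying one busy number: many failures, but no walk.
    lines += [f"{100 + i * 20} 2-9999 40324 BUSY" for i in range(6)]
    return "\n".join(lines)


def parse_log(text):
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, dialed, outcome = line.split(None, 3)
        attempts.append(Attempt(int(ts), source, int(dialed), outcome.upper()))
    return attempts


def longest_sequential_run(attempts, max_gap=1):
    """Longest stretch where each dialed number is the previous one plus
    0..max_gap (a retry of the same number stays inside the run)."""
    best, current = [], []
    for attempt in attempts:
        if current and 0 <= attempt.dialed - current[-1].dialed <= max_gap:
            current.append(attempt)
        else:
            current = [attempt]
        if len(current) > len(best):
            best = list(current)
    return best


def detect_scanners(attempts, min_distinct=8, min_fail_ratio=0.6):
    """Flag sources whose longest sequential run covers many distinct
    numbers and mostly fails. Grouping is by calling line, so a forced
    disconnect and reconnect does not reset the run."""
    by_source = defaultdict(list)
    for attempt in sorted(attempts, key=lambda a: a.ts):
        by_source[attempt.source].append(attempt)

    findings = {}
    for source, seq in by_source.items():
        run = longest_sequential_run(seq)
        distinct = len({a.dialed for a in run})
        fails = sum(a.outcome in FAILURES for a in run)
        if distinct >= min_distinct and fails / len(run) >= min_fail_ratio:
            findings[source] = {
                "first": run[0].dialed,
                "last": run[-1].dialed,
                "distinct": distinct,
                "fail_ratio": round(fails / len(run), 2),
                "duration_s": run[-1].ts - run[0].ts,
            }
    return findings


if __name__ == "__main__":
    for line_id, info in detect_scanners(parse_log(build_sample_log())).items():
        print(line_id, info)
```

Requiring both a run of distinct consecutive numbers and a high failure ratio keeps a user who redials one busy service from being flagged.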


The VT Hacker, by the Mad Hermit

The VT Hacker
by The Mad Hermit

Welcome to the first installment of the hackers’ corner. In this
“electronic magazine”, I will be speaking out on various issues relating to
computers, telephones, and other technological devices that have uses their
creators didn’t intend them to have. First, I would like to point out a
disclaimer. The information given here will NOT compromise the security of any
institution. It is NOT being distributed with the intent that it will be used
for illegal activities. I (and everyone else here) hereby take NO
responsibility if some mentally deranged person gets bad ideas from this and
does something despicable. The information in this column will be just that:
freely available items of interest that have been collected from different
sources. Any nasty ideas coming from knowledge of this information are the
fault of the person(s) who read(s) it.

Now that I’ve gotten rid of that load, I’ll tell you about the format
I’d like to try to follow. Typically, I will have feature articles to start
things off. After the feature, I intend to have news articles of interest to
all computer owners, followed by reader mail as space permits. This time, I
have a crash course on the Tech (and other) library’s VTLS system including
some of the more esoteric functions available. These articles will more often
be written by me, but submissions are always welcome and WILL BE READ by me.
In future issues, I will talk about hacking on LocalNet, VMS/CMS, Unix/Ultrix,
BitNet, Pick, GTE’s TeleNet, and a Hewlett Packard system on which your high
school might still keep grades and records.

I would like to extend a call to all phreakers and hackers to send in
stuff about microcomputers, local BBS’s, and bizarre phone #s also.

And Now…………..VTLS – Virginia Tech’s Library Search Service

FIRST – the basic commands:
A/ = Author Search
B/ = Boolean Word search (Inaccessible)
C/ = Call Letter Search
/C = Return to last item screen (slash cmd)
CA = Catalog listing screen (Local cmd)
H/ = Holdings listing
H = Holdings screen (Local cmd)
HELP = Local help for current screen
/HELP = General help screen
L/ = Videodisk operation (Inaccessible)
M/ = Call Letter Search
MARC = Data file of the book or magazine (Local cmd)
NS = Next Screen (local cmd)
P/ = Professor Reserve listing
PS = Previous Screen (local cmd)
Q/ = Course ID reserve listing
S = Special Book Status (local cmd)
S/ = Subject Search
SHOW = returns user to item list screen (Local cmd)
T/ = Title Search
/T = Show Date and Time (slash cmd)
W/ = Word Search (Inaccessible)
X/ = Videodisk operation (Inaccessible)

The two slash commands, C and T, are interesting because they aren’t
exactly in the normal input format. The /C command is especially powerful
because although PS no longer returns you to the last screen after you type
/HELP, /C always will. Note that four commands aren’t implemented in this
version of VTLS. Not being one to miss a chance for social engineering,
I asked various librarians some questions and managed to piece together a
rough outline of what is going on. Word search (and its boolean counterpart)
and videodisk services were a part of VTLS when it was first conceived, and the
code that ran them was part of the original system. If, however, these
commands were accessed by someone without the proper hook-ups, the terminal
crashed. As a result, these features were removed. Another problem
encountered was the fact that the terminals could send control sequences
(holding down the control key while hitting another key) that messed with the
system. These have been rendered harmless. Some control sequences are:

CTRL-G = Beep
CTRL-H = Backspace
CTRL-I = Who knows (just beeps)?
CTRL-J = Linefeed only
CTRL-M = Return and Linefeed
CTRL-P = Space
CTRL-X = Prints “!!!” and then return
CTRL-Y = Break key (this used to cause trouble)
CTRL-1 = Displays special characters & turns off scrolling
CTRL-2 = Turns off effects of CTRL-1
CTRL-4 = Turns KeyBeep On/Off
CTRL-6 = Slow Cursor Flash
CTRL-7 = Fast Cursor Flash
CTRL-8 = Fastest Cursor Flash
CTRL-9 = Turns Cursor into an Underline
CTRL-0 = Screen Blowup (alternates between “U” and “*”)
CTRL-Home = Clears Screen

Novice vs. Advanced Searches on VTLS
Normally the user operates in novice mode, but enterprising people
have discovered some advanced features including many more help screens than at
first imagined. Simply type “?” and then to get the Novice User’s
menu. Though only 7 choices are displayed, there is more than meets the eye.
Info about any of the advanced services can be obtained by typing in the
following command structure : “# ?”. The pound sign (#) represents the number
of the service you wish to get advanced help on. What follows is a list of
currently known numbers and what they mean:

1 = Author
2 = Subject
3 = Title
4 = Call Number
5 = ISSN Search
6 = LSSN Search
7 = ISBN Search
8 = Word Search
9 = Boolean Word Search
10 = Professor Reserve
11 = Course ID Reserve
100 to 110 = Reserve Module Numbers (unused)

The Reserve Module is another one of those things that has been
discontinued. There also seems to have been an Acquisitions module, that the
main offices on the Sixth Floor might have used, but I don’t know the numbers
for it.

Announcing a 1-800 scan! This phreaker pastime is being resurrected
around campus by several interested parties. Pick an exchange (i.e. 1-800-XXX)
and dial as many numbers as you can, recording the ones that are answered or
return weird noises. The numbers in each exchange go from 1-800-XXX-0000 to
1-800-XXX-9999. This activity is PERFECTLY LEGAL, but the fone company has
been known to get suspicious of calling patterns where numbers in sequence are
dialed. If this happens, tell them that you aren’t harassing anyone or
frauding the fone company. It’s free, & informative. To get you started, here
are some I have collected (if they don’t work anymore, please tell me):

1-800-221-0226 NBA Hotline
1-800-221-2000 TWA Reservations
1-800-221-2014 Extender
1-800-221-4945 Women USA News
1-800-221-9735 Carrier
1-800-222-0248 Dow Phone
1-800-222-0300 AT&T Toll-Free Wake-Up Service. An AT&T representative will
awaken you in the morning. Call late at night & ignore initial voice messages.
1-800-225-8456 AUTONET
1-800-228-1111 VISA Credit Check
1-800-228-8777 Zip Code Information
1-800-238-5342 National Cotton Council
1-800-242-4022 Los Angeles Smog Report
1-800-248-0151 White House Press
1-800-252-0112 USC Newsline
1-800-253-9892 Up-Time Distribution
1-800-321-1082 Navy Finance Center
1-800-321-3048 Beepers
1-800-321-3049 Beepers
1-800-321-3052 Beepers
1-800-321-3074 Beepers
1-800-323-1146 Carrier-like sounds
1-800-323-1151 Long Distance Diverter
1-800-323-2005 Carrier
1-800-323-3107 Carrier
1-800-323-4279 Carrier
1-800-323-4297 Asks for 7-digit access code
1-800-323-4298 Special Operators
1-800-323-4313 PBX (Private Branch Exchange)
1-800-323-4354 Special Operators
1-800-323-4376 Carrier
1-800-323-4377 Carrier
1-800-323-4462 Carrier
1-800-323-8021 High tone
1-800-323-8039 PBX
1-800-325-0887 Arts Program Guide
1-800-325-9999 Strange tone, then silence
1-800-327-0000 “Announcement three, Dallas” (changes sometimes)
1-800-327-6764 AUTONET
1-800-331-1323 Direct Connection with French Operators
1-800-331-3701 Shell Credit Center
1-800-336-0149 TYMNET Offices
1-800-336-3366 “The Source” Customer Service
1-800-342-1105 Tone
1-800-342-1108 Tone
1-800-342-1143 800 Operator
1-800-342-1119 LOUD Tone
1-800-343-2903 Call America Long Distance Service
1-800-343-6400 PBX with recording
1-800-362-7171 MASTERCARD/VISA No.
1-800-367-4710 San Bernardino Smog Report
1-800-368-1017 Test Number
1-800-368-1018 Test Number
1-800-368-5468 “Satelite Network Control”
1-800-368-5500 Coin Update
1-800-368-5634 MCI Update
1-800-368-5640 Senate Update
1-800-368-5642 Nuclear Regulatory Commission Op.
1-800-368-5667 Business Line
1-800-368-5693 Republican Talk Line
1-800-368-5744 AFL-CIO News Service
1-800-368-5814 National Association of Realtors
1-800-368-5833 American Heritage Foundation
1-800-368-5844 Communications Satellite Corporation
1-800-368-5939 White House Operator
1-800-424-0124 Office of Education News
1-800-424-2424 American Federation of Teachers
1-800-424-5040 N.A.M. Newsline
1-800-424-5201 Export&Import Bank
1-800-424-5900 PBX
1-800-424-6200 Odd Service
1-800-424-8086 National Education Association
1-800-424-8530 Housing & Urban Development
1-800-424-8807 Dept. of Transportation
1-800-424-9090 White House Press Office
1-800-424-9128 Dept. of Energy Newsline
1-800-424-9129 Ditto, but in Spanish
1-800-424-9180 COMMANDER II
1-800-424-9440 COMMANDER II
1-800-424-9494 TELEMAIL
1-800-424-9820 Citizen’s Choice News
1-800-424-9864 Edison Energy Line
1-800-521-8426 RSX-11
1-800-524-0000 “Announcement one, Atlanta”
1-800-525-3056 Cattleman News
1-800-525-3085 Cattleman News
1-800-525-7623 American Express Current Exchange Rate
1-800-526-2000 “You’ve got equipment problems?”
1-800-527-2011 Credit Authorization
1-800-527-2551 Carrier
1-800-528-2121 American Express Voice Credit
1-800-544-6363 Alliance Teleconferencing
1-800-548-0000 “Announcement two, Chicago”
1-800-555-8111 See 1-800-222-0300. This is an alternative.
1-800-621-4562 ?????
1-800-621-8094 American Medical Association
1-800-631-1147 Beepers
1-800-645-5350 UNKNOWN
1-800-622-0858 California Medical Association
1-800-882-1061 AT&T Stock Prices
